Skip to content

Walk me through what Windows event IDs 4624, 4625, and 4688 mean and how you would use them in an investigation.

Short answer

4624 is a successful logon, 4625 is a failed logon, and 4688 is a process creation. In an investigation you use 4625 to spot credential attacks, 4624 (with its logon type and source) to confirm a successful access and how it happened, and 4688 to see what was actually executed, ideally with command-line auditing enabled.

Windows security event logs are bread-and-butter for a SOC analyst, and these three IDs come up constantly. Interviewers ask this to confirm you can read the logs first-hand rather than relying entirely on a tool to interpret them.

4624 — successful logon

Event 4624 records a successful logon. The most important field is the logon type, which tells you how the session was created: type 2 (interactive, at the keyboard), type 3 (network, e.g. accessing a share), type 10 (RemoteInteractive / RDP), and type 5 (service). It also records the source account, source IP, and authentication package. A type 10 logon from an unexpected external IP, for example, is a strong RDP-compromise signal.

4625 — failed logon

Event 4625 is a failed logon, the workhorse for spotting credential attacks. The status/sub-status codes explain why it failed (bad password, disabled account, account locked out). Many 4625s against one account suggest brute force; a few each across many accounts suggest password spray.

4688 — process creation

Event 4688 records a new process. This is where you see what ran. Critically, with command-line auditing enabled, 4688 captures the full command line — invaluable for catching encoded PowerShell, rundll32 abuse, or living-off-the-land binaries. Pair it with the parent process to spot suspicious chains like Word spawning cmd.exe.

Chaining them together

The real power is correlation: a burst of 4625s followed by a 4624 from the same source means a credential attack succeeded; following that account into 4688 events shows what the attacker did next.

Why this matters

Being able to read these events and their key fields — not just recite the numbers — shows an interviewer you can investigate a Windows host hands-on, which is core SOC work.

Likely follow-ups

  • What is a logon type and why does type 3 versus type 10 matter?
  • Why is command-line auditing important for 4688 events?
  • How would you chain 4625 then 4624 to spot a successful brute force?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.